Actions
Bug #1523
closedDecoded base64 payload short by 16 characters
Affected Versions:
Effort:
Difficulty:
Label:
Description
While comparing the decoded alert playload from EVE log and alert debug log data I have noticed that the decoded EVE base64 payload is short by 16 characters and there is non-printable hex at the beginning of the decoded data.
To generate an example of this issue I used the pcap at, http://www.malware-traffic-analysis.net/2015/07/31/2015-07-31-Angler-EK-and-CryptoWall-3.0.pcap, to generate the traffic and sid 2018452 to generate the alerts. EVE, alert-debug, and suricata log data have been included in the attached tar file.
Kernel:
Linux suri 3.2.0-4-amd64 1 SMP Debian 3.2.65-1+deb7u1 x86_64 GNU/Linux
Debian version:
7.8
Suricata build info:
This is Suricata version 2.1beta4 RELEASE Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS SIMD support: SSE_3 Atomic intrisics: 1 2 4 8 byte(s) 64-bits, Little-endian architecture GCC version 4.7.2, C version 199901 L1 cache line size (CLS)=64 thread local storage method: __thread compiled with LibHTP v0.5.17, linked against LibHTP v0.5.17 Suricata Configuration: AF_PACKET support: yes PF_RING support: no NFQueue support: no NFLOG support: no IPFW support: no Netmap support: no DAG enabled: no Napatech enabled: no Unix socket enabled: yes Detection enabled: yes libnss support: yes libnspr support: yes libjansson support: yes Prelude support: no PCRE jit: yes LUA support: no libluajit: no libgeoip: no Non-bundled htp: no Old barnyard2 support: no CUDA enabled: no Suricatasc install: yes Unit tests enabled: no Debug output enabled: no Debug validation enabled: no Profiling enabled: no Profiling locks enabled: no Coccinelle / spatch: no Generic build parameters: Installation prefix (--prefix): /usr Configuration directory (--sysconfdir): /etc/suricata/ Log directory (--localstatedir) : /var/log/suricata/ Host: x86_64-unknown-linux-gnu GCC binary: gcc GCC Protect enabled: no GCC march native enabled: yes GCC Profile enabled: no
Files
Actions